Unable to decrypt credentials file when using pass backend
doolio opened this issue · comments
- I am using the latest release of AWS Vault

  Yes, v7.2.0 installed via asdf.

  ```
  $ aws-vault --version
  v7.2.0
  ```

- I have provided my `.aws/config` (redacted if necessary)

  `AWS_CONFIG_FILE="${XDG_CONFIG_HOME}/aws/config"`

  ```ini
  [default]
  region = us-east-1
  output = json
  [profile iamadmin-saa-mgmt]
  [profile iamadmin-saa-prod]
  ```

  I also have the following environment variables set:

  ```sh
  AWS_VAULT_BACKEND="pass"
  AWS_VAULT_PASS_PREFIX="aws-vault" # set because I already have an existing password-store
  ```

  My profile credentials are stored in

  ```
  ~/.password-store/aws-vault/iamadmin-saa-mgmt
  ~/.password-store/aws-vault/iamadmin-saa-prod
  ```

  ```
  $ aws-vault list
  Profile              Credentials          Sessions
  =======              ===========          ========
  default              -                    -
  iamadmin-saa-mgmt    iamadmin-saa-mgmt    -
  iamadmin-saa-prod    iamadmin-saa-prod    -
  ```

- I have provided the debug output using `aws-vault --debug` (redacted if necessary)
I checked #686 and I already had `$GPG_TTY=$(tty)` set and exported, so it is not the same issue. Now my primary GPG key is stored in a Trezor Model T and I am prompted on it when I need to decrypt a file in my password-store. This works well when not using `aws-vault` because my password-store was initialised with my TREZOR-based GPG identity.

However, you can see from the `aws-vault` command output above that it is not working when `aws-vault` is in the loop. What is the significance of the `--prompt` flag? I understand from #1185 one used to be able to set this to "pass". Could the removal of this option be why I don't get prompted on my hardware-based token?

I don't think the `mfa_process` option will work as I'm not using `pass` to generate an OTP. I have MFA access set up on my two profiles and am using a software-based MFA device. If I include the `mfa_serial` identifier in my profile I get prompted to enter the OTP but it still doesn't work.

Any ideas? Thanks for your time.
Same for me, I get the below error:

```
gpg: XXXXXXXXXXXXXXXXXXXXXXXXX: skipped: No public ke
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
aws-vault: error: exec: Failed to get credentials for dil-icompass-dev: exit status 1
```
Despite what I stated above I think this is somehow related to #686. I think `aws-vault` creates a subshell (for some or all of its subcommands?) where for whatever reason the setting of `GPG_TTY` is not inherited and so returns "not a tty".
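A preflight check for the pass backend that tests the hypotheses raised in this thread from a child process's point of view (an added example, not part of the issue or of aws-vault itself): it reports a `GPG_TTY` that is set but not exported, a backend setting other than pass, password-store entries missing under the prefix, and, when gpg is available, key ids in `.gpg-id` that gpg does not know (the "No public key" failure seen above). It assumes pass's standard layout (`PASSWORD_STORE_DIR`, entries stored as `<name>.gpg`, key ids in `.gpg-id`) and falls back to the `aws-vault` prefix used in this issue.

```sh
#!/bin/sh
# Preflight check for the aws-vault "pass" backend (added example, not aws-vault code).
# aws-vault runs pass/gpg in a child process, so everything below is tested from the
# point of view of a child process rather than of the current shell.
# Usage: check_aws_vault_pass_env PROFILE...   -> returns 0 when no problem was found
check_aws_vault_pass_env() {
    store="${PASSWORD_STORE_DIR:-$HOME/.password-store}"   # pass's standard layout
    prefix="${AWS_VAULT_PASS_PREFIX:-aws-vault}"           # prefix used in this issue
    rc=0

    # A plain GPG_TTY=$(tty) exists in this shell only; a child process never sees it.
    if ! sh -c '[ -n "$GPG_TTY" ]'; then
        echo "GPG_TTY is not exported to child processes (use: export GPG_TTY=\"\$(tty)\")"
        rc=1
    fi

    if [ "${AWS_VAULT_BACKEND:-}" != "pass" ]; then
        echo "AWS_VAULT_BACKEND is '${AWS_VAULT_BACKEND:-unset}', expected 'pass'"
        rc=1
    fi

    # pass stores each entry as <store>/<prefix>/<profile>.gpg
    for profile in "$@"; do
        if [ ! -f "$store/$prefix/$profile.gpg" ]; then
            echo "missing password-store entry: $store/$prefix/$profile.gpg"
            rc=1
        fi
    done

    # "No public key" means a key id listed in .gpg-id is unknown to gpg.
    # The prefix directory may carry its own .gpg-id; otherwise the store root's applies.
    idfile="$store/$prefix/.gpg-id"
    [ -f "$idfile" ] || idfile="$store/.gpg-id"
    if [ ! -f "$idfile" ]; then
        echo "no .gpg-id found for $store/$prefix (store not initialised with pass init?)"
        rc=1
    elif command -v gpg >/dev/null 2>&1; then
        while read -r keyid; do
            [ -n "$keyid" ] || continue
            if ! gpg --list-keys "$keyid" >/dev/null 2>&1; then
                echo "key $keyid from $idfile is not in the gpg keyring (No public key)"
                rc=1
            fi
        done < "$idfile"
    fi

    return $rc
}
```

Run it as `check_aws_vault_pass_env iamadmin-saa-mgmt iamadmin-saa-prod` from the same shell you start aws-vault in; a non-zero exit prints each mismatch it found.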
Changed `AWS_VAULT_BACKEND=pass` to `AWS_VAULT_BACKEND=file` and it worked.

Command:

```sh
export AWS_VAULT_BACKEND=file
export GPG_TTY="$( tty )"
```